ae176ad581d67efe83434a746a5fe3ec9885a7ec251d1a400d53e48ed634f98f

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57be25415dc0e7c8390230b52f3b3cf0.exe
Size

689KB
MD5

57be25415dc0e7c8390230b52f3b3cf0
SHA1

6bb40a18abbdc3e7a6f7ca57fa010e7e69cfdc53
SHA256

ae176ad581d67efe83434a746a5fe3ec9885a7ec251d1a400d53e48ed634f98f
SHA512

eca64f88b686411957f509c1d64f1573bd83f3ef0f214077405d646d8c87bd34b5ca9b43ce693bc6088f849429740d7f1c2a92f13f19e89ed74f8d247b34dd8f
SSDEEP

12288:bDNLxSK3+fA6r2WV2tZyralIorX0BtF3Z4mxxvet7bzq+xMl3dV6Wx:JxSK3uA6r3QtZG2TQtQmXvetTq+q6Wx

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2680	2.exe
2660	system.com.cn.exe
2648	2.exe

Loads dropped DLL 4 IoCs

pid	Process
3048	57be25415dc0e7c8390230b52f3b3cf0.exe
3048	57be25415dc0e7c8390230b52f3b3cf0.exe
3048	57be25415dc0e7c8390230b52f3b3cf0.exe
3048	57be25415dc0e7c8390230b52f3b3cf0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57be25415dc0e7c8390230b52f3b3cf0.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system.com.cn.exe	2.exe
File created	C:\Windows\system.com.cn.exe	2.exe
File opened for modification	C:\Windows\system.com.cn.exe	2.exe
File created	C:\Windows\uninstal.bat	2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	2.exe
Token: SeDebugPrivilege	2660	system.com.cn.exe
Token: SeDebugPrivilege	2648	2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	system.com.cn.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2680	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	28
PID 3048 wrote to memory of 2680	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	28
PID 3048 wrote to memory of 2680	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	28
PID 3048 wrote to memory of 2680	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	28
PID 2660 wrote to memory of 2696	2660	system.com.cn.exe	30
PID 2660 wrote to memory of 2696	2660	system.com.cn.exe	30
PID 2660 wrote to memory of 2696	2660	system.com.cn.exe	30
PID 2660 wrote to memory of 2696	2660	system.com.cn.exe	30
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 2680 wrote to memory of 1628	2680	2.exe	31
PID 3048 wrote to memory of 2648	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	33
PID 3048 wrote to memory of 2648	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	33
PID 3048 wrote to memory of 2648	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	33
PID 3048 wrote to memory of 2648	3048	57be25415dc0e7c8390230b52f3b3cf0.exe	33

C:\Users\Admin\AppData\Local\Temp\57be25415dc0e7c8390230b52f3b3cf0.exe
"C:\Users\Admin\AppData\Local\Temp\57be25415dc0e7c8390230b52f3b3cf0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

C:\Windows\system.com.cn.exe
C:\Windows\system.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
150B

MD5
24b1050265fe701ac13f0c177fbeaae4

SHA1
2ca1c304445e7a412005bc180863493d34ad38c1

SHA256
69bf5c2f1ec910ad6c02df84788d7c1601ea2e5b498094f6194b35c3aeae3158

SHA512
8dc5e999bd667ec338972957341f2e185ffb7c6f5ba46d9fa0a0746e8c982adf9aaf50b10f2f7813a6b23a3803843af1eb1aa0dfeff8e4d15f10a88e9f754415

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
767KB

MD5
8d887f8c2aea85cb6812f4e3f2df2ffe

SHA1
52012d34102110e448060b9fa501cb0fa6e9d8fd

SHA256
0ec9af76fa5b3ae4bb1cf78d58dc925c364680923aaa14ebd598ca12b459c471

SHA512
d86912a1ae31bfe5af6a674070d32cd02edd31fdfd938a1077766ac89ed77387566e7a64182c458bf849fe3a276388678a511b0c68e6dff21ce4550f81ee78b2

Download Submit
memory/2648-57-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2648-62-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2648-59-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2660-65-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2660-64-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2660-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2660-70-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2660-43-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2660-42-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2680-52-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/2680-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2680-36-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download
memory/3048-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3048-14-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/3048-10-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3048-9-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3048-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3048-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3048-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3048-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3048-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3048-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3048-29-0x00000000031F0000-0x00000000032B9000-memory.dmp

Filesize
804KB

Download
memory/3048-12-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3048-35-0x00000000031F0000-0x00000000032B9000-memory.dmp

Filesize
804KB

Download
memory/3048-13-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3048-11-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3048-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3048-26-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3048-15-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3048-16-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3048-56-0x00000000031F0000-0x00000000032B9000-memory.dmp

Filesize
804KB

Download
memory/3048-18-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3048-58-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3048-19-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3048-61-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/3048-20-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3048-63-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3048-21-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3048-22-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3048-17-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads